February 23, 2015

The New York Times carried a fascinating story reporting that a New York private investigator is expected to plead guilty to charges of paying a "hacker-for-hire" firm to steal e-mail credentials. He reportedly has done some work for lawyers.

Separately, federal prosecutors in San Francisco announced the indictment of two private investigators and two computer hackers on charges that they illegally entered e-mail and Skype accounts to gather information for matters they were working on for clients. Some of the illegally gathered information was said to support a lawsuit.

These firms reportedly charge $50-$250 per account hacked.

It has long been suspected that some lawyers are utilizing the services of hacker-for-hire firms. They are not likely to fare well with the justice system or their disciplinary boards if they can be linked to this activity which clearly violates the law - and their ethical duties.

February 19, 2015

And so, on February 16th, the Wall Street Journal announced that its B-Section, formerly known as "Marketplace," would now be known as "Business and Tech."

As the WSJ noted, "Algorithms direct our doctors and instruct our farmers. They will increasingly guide nearly every function in the modern enterprise. This is why it’s likely that your company’s next CEO is currently a CIO."

Law firms should take note of this small but significant development. Our industry is not immune to what's happening, however much we exhibit a tendency to cling to the practice of law the way it used to be. Those lawyers who remain hidebound will inevitably go the way of the dodo bird.

The message here is "No matter what business you're in, you absolutely must embrace technology."

February 18, 2015

I have no idea what President Obama really stands for on privacy issues these days.

Last week, as CNET reported, the President signed an executive order mandating the creation of specialized organizations that will allow the government and companies across the tech, finance, energy and health care industries to share information about threats as they occur.

Known as "information sharing and analysis organizations," or ISAOs, these new entities can be not-for-profit community organizations, membership groups or single companies. The U.S. Department of Homeland Security would then be authorized to approve classified information-sharing arrangements and to ensure that ISAOs can access classified threat information. The order would also fund the creation of a nonprofit organization to develop a set of voluntary standards for ISAOs. He shared his vision at a White House Summit held at Stanford University.

So here we are sitting around the campfire toasting marshmallows.

Except not everyone. It appears to me that the government is meeting considerable resistance in its attempt to foster information-sharing. In fact, Facebook CEO Mark Zuckerberg, Yahoo CEO Marissa Mayer and Google's Larry Page and Eric Schmidt were all invited to the Stanford event, but didn't attend. Apple CEO Tim Cook spoke, but about people's rights to privacy and security.

During the same week, in a story from The Mac Observer (hat tip to Dave Ries), we have the President officially coming out in support of U.K. Prime Minister David Cameron's push for backdoor government access to private encrypted data, and even going so far as to suggest U.S. companies that offer ways to decrypt user data are patriots. The original American patriots must be rolling in their graves.

Forcing companies to build a way into their encrypted services to allow government access would give law enforcement agencies access to our private communications. It would also give criminals the same access. Back doors are vulnerabilities. And who in the heck would be nutty enough to buy American products which have built-in backdoor access for the U.S. government?

In the U.K., encrypted services that don't offer backdoors into data would be outlawed under the current proposal. Don't think that wouldn't come across the pond if it succeeds in the U.K.

I guess, now that I think about it, the real President Obama has already stood up.

February 17, 2015

While I concede that a Legacy Contact makes a certain amount of sense - and will work MOST of the time, I see trouble coming around the corner. Here's what Facebook has to say:

What is a legacy contact?

A legacy contact is someone you choose to look after your account if it's memorialized. Once your account is memorialized, your legacy contact will have the option to do things like:

Write a pinned post for your profile (ex: to share a final message on your behalf or provide information about a memorial service)

Respond to new friend requests (ex: old friends or family members who weren't yet on Facebook)

Update your profile picture and cover photo

There are things they can't do (see list here) but we live in a world where people think reality shows are real and where revenge porn is an everyday occurrence.

So here's what I foresee. Boy loves girl. Girl loves boy. They get married (or don't). And let's be modern about this. Girl loves girl and girl loves her back. Boy loves boy and boy loves him back.

As readers know, I live in the digital forensics world, where folks (married or not) break up. They often don't think to change EVEN their e-mail password. So you think they are going to remember to change their legacy guardian? A lot of them will not. Let the mischief begin.

Angry ex-lovers/spouses could post a photo (as your profile picture) of you six sheets to the wind and dancing on the bar in less than appropriate attire. And that's a mild image. They might have some really interesting things to post about you. Your final message could be quite the pièce de résistance. Burn in H*** you b****. Or b******. And there will be details to back up that sentiment.

You think digging a key into the side of your pretty little souped-up 4-wheel drive is bad? Just wait.

Having seen it all from disenchanted lovers/spouses, I would imagine they'll find whole new universes of revenge to explore. Will Facebook help out to undo the damage? Maybe. Maybe not. Quickly? Probably not. Could this present a legal issue on which someone might have to act? Of course.

I believe fervently in the malicious creativity of former lovers/spouses. I will report on that creativity as events unfold.

February 12, 2015

The New York Times reported that two lawyers from a city-funded nonprofit group were forced to resign over their appearance in a rap video that endorsed murderous retribution for the death of Eric Garner.

The lawyers were with the Bronx Defenders and apparently knew that the video called for killing police officers. The group was told that it must impose disciplinary actions or lose its contract, worth about $20 million.

In a statement, the Bronx Defenders said it “looks forward to continuing to do what we do best — providing zealous and compassionate legal representation and advocacy on behalf of 35,000 indigent residents annually.”

The video was posted on YouTube the day after a grand jury voted in December not to bring criminal charges in Garner’s death. It grew popular after protests occurred throughout the city and concern about violence against the police grew. Two police officers were subsequently killed in Brooklyn.

The video shows a man dressed in Police Department blue staring down the barrel of a handgun as rappers say it is “time to start killing these coppers.”

The video showed two city-funded defense lawyers, Kumar Rao and Ryan Napoli. They are shown comforting a grieving mother in their Bronx Defender offices as they work on a case related to police brutality.

Rao said he found some of the lyrics he originally reviewed “troubling,” and expected to help edit the video before its release. Instead, Mr. Rao said he woke up early on December 4th and was “shocked” at the images that the rappers Maino, Jay Watts and Uncle Murda had chosen. He said the video "was designed to be fully about raising awareness in the community about the kinds of legal services that an office like ours could provide for people affected by this issue.”

Could he really have been that naive? Maybe, but his judgment was certainly poor at the very least - clearly there was no guarantee that he could adjust the finished product - and the lyrics alone would have stopped, in my opinion, the participation of any lawyer cognizant of his ethical duties.

February 11, 2015

This question certainly has dominated local/national news in the last couple of days.

Though many smart TVs can watch and listen to you, the attention has focused chiefly on the Samsung Smart TVs, many of which come equipped with voice recognition. The good news is that you can issue voice commands to the TV - the bad news is that what you say is sent over the Internet and is transmitted through a third party.

Creepy. Yes, there is a microphone on the screen when the voice recognition feature is on, and you can opt-out. But there are pre-programmed commands and it will collect those commands (but not your voice itself) even if you opt out.

Make sure you watch the CNN video on this topic. There is a way, with a little extra code, to get to the browser and get access to the camera and then watch you. You would be completely unaware. Imagine that as you undress in your bedroom with the TV on. You can cover the camera lens of course, or unplug the TV from the home network when you're not using Smart TV features. Users tend not to take security measures even when available to them so this doesn't strike me as likely. They should also be using encrypted wireless access points - sometimes they are, but they are using older encryption that has been broken.

Remember that a smart TV is a computer and therefore vulnerable to hackers.

As people use the Internet on their TV, they will inevitably and stupidly do online banking via their television. Hackers are lusting for this - because, with relative ease, they can present a site that looks like your bank's site, but is controlled by them.

Once again, we'll be asking the ever popular question, "Are you smarter than a fifth grader?"

February 10, 2015

27001 Academy is an online learning center where you can get training and documentation for implementing the international standard for information security management, ISO 27001. The company has created a fascinating infographic showing the state of data breaches in 2014.

Here are some of the stats from the graphic.

2014 saw an increase of over 27.5% in data breaches in the U.S.

Total incidents in 2014: 783

Total incidents in 2013: 614

2014 vs. 2013: 27.5% increase

Although the number of breaches increased, the reported number of compromised records declined by 7.1%.

Total records in 2014: 85,611,528

Total records in 2013: 91,982,172

2014 vs. 2013: 7.1% decrease

For banking and government sectors, the risk of experiencing a data breach was higher than ever, with a 50% to 80% increase in security incidents in the last year.

The healthcare sector also saw a persistent and growing threat of breaches - it was the most affected of all the industries.

Organization Type            No. of incidents (2014)    No. of incidents (2013)
Banking/Credit/Financial     43                         34
Business                     258                        195
Educational                  57                         54
Government/Military          92                         60
Medical/Healthcare           333                        271

The Anthem breach certainly highlighted the escalation in data breach for health-related businesses. And as I noted in yesterday's post, medical data is selling for far more on the black market than credit card data.

February 09, 2015

Health insurance company Anthem announced on February 4th that it had suffered what appears to be the largest breach ever in the health insurance industry, affecting about 80 million people.

Once the dust had settled slightly, The New York Times carried a good article on the breach. Anthem, one of the country’s largest health insurers, said the hackers did not appear to have stolen information about its customers’ medical claims. But medical identification numbers were taken, along with Social Security numbers, addresses and e-mail addresses, which could be used for medical fraud.

Medical identity theft is growing because it pays. In black-market auctions, complete patient medical records tend to fetch higher prices than credit card numbers. One security expert said that at one auction a patient medical record sold for $251, while credit card records were selling for 33 cents.

Signs continue to point to China as the source of the attack, but it is unknown whether this is a state-sponsored attack or simply cybercriminals.

Patient medical records typically include information not easily destroyed, including date of birth, Social Security numbers and even physical characteristics that make them more useful for things like identity theft, creation of visas or insurance fraud by fraudulently billing for expensive medical or dental procedures that were either never performed or performed on someone else. Some criminals have also tried a form of ransomware in which they threaten to reveal medical information unless they are paid. Creative SOBs, these hackers.

About 90 percent of health care organizations reported they had at least one data breach over the last two years, according to a survey from the Ponemon Institute, a privacy and data protection research firm. The founder, Larry Ponemon, a security expert, says most were because of employee negligence or system flaws, but a growing number are malicious or criminal.

And, if history holds true, having successfully breached one insurer, the attackers will try to breach others. Because that, apparently, is where the money is.

February 05, 2015

The ABA Journal carried a story on February 3rd that really made me take notice.

Texas oil company Moncrief Oil International abruptly dropped a $1.37 billion suit against a Russian competitor after the defense pointed out what appeared to be a fabricated document.

The trial exhibit, supposedly created in 2004, had an image created in 2012. Lawyers at Baker Botts who represented the defendant, Russian oil company OAO Gazprom, discovered the problem after a close examination of the document and a Google search.

Moncrief Oil International had produced the document at the close of discovery in its trade secrets case, saying it was an analysis that gave it a competitive edge in 2004, Gazprom alleged in a motion for sanctions. The document “is the cornerstone of Moncrief’s trade secrets claim,” the motion says. “And it is—we now know—a fabrication.”

Moncrief’s suit had claimed it reached an agreement with Gazprom to develop a natural gas field in Siberia, but Gazprom withdrew from the deal and stole Moncrief’s trade secrets from a study of prospects to sell natural gas in the United States. Gazprom denied there was a deal and denied stealing trade secrets.

When preparing for cross-examination, Baker Botts partner Van Beckwith and associate John Lawrence enlarged the trial exhibit and were puzzled by a label on a graphic it contained. The label said “figure 11.” That led them to wonder about figures 1 through 10, which weren’t in the document. Smart lawyers, eh? While it seems logical to do what they did, this would have escaped a lot of lawyers.

A Google search showed the graphic was taken from a June 2012 University of Texas research paper.

Moncrief dropped the suit and agreed not to refile in any jurisdiction. In exchange for the agreement, Gazprom agreed not to pursue sanctions according to Baker Botts. Nice work Baker Botts!

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.